On March 6, 2018, the World Economic Forum (WEF) published a white paper report analyzing challenges that financial services and fintech firms face in protecting customer information against the increasing risk of cyber-attacks and setting out proposals to better manage this cyber-risk.[1] As described below, the report recommends industry-wide efforts to adopt standardized cyber-risk metrics and to develop mechanisms for assessing cybersecurity. In conjunction with the publication of these recommendations, Citigroup Inc., Kabbage, Inc., Zurich Insurance Group AG and the Depository Trust & Clearing Corporation have formed a consortium to address cybersecurity risks in the fintech industry.[2]

The report identifies two industry-specific challenges to protecting sensitive customer data. First, the report states that technological innovation within the financial and fintech industries makes these industries increasingly vulnerable to cyber-attacks. Technological innovations have created new vulnerabilities by “incentiviz[ing] and facilitat[ing] the collection of large amounts of data” and enabling companies to “transfer and share data more easily.”[3] Further, the development of artificial intelligence and machine learning has supported the development of more sophisticated cyber-attack capabilities.[4]

Second, the report recognizes the unique challenges faced by financial services firms in managing cyber-risk.[5] As a general matter, the report finds that the financial services industry lacks sufficient cybersecurity expertise, as reflected in limited tools to assess and quantify cyber-risk, limited talent to manage cyber-risk and limited customer awareness of cybersecurity best practices. Regulatory fragmentation and gaps in the current regulatory framework also increase cyber-risks for the financial services industry. In addition, while collaboration among firms and industries is key to enhancing cybersecurity, the report found that most industry-led initiatives have been uncoordinated and inconsistent.[6]

In terms of proposals for better managing cyber-risk in the financial services and fintech industries, the report primarily focuses on two specific recommendations. First, the report recommends the creation of standardized and accurate cyber-risk metrics to measure the “likelihood of a cyber-attack and the magnitude of an associated loss.”[7] Such metrics would both help management and boards of directors understand cyber-risk exposure and support the development of “more accurate risk-based controls.”[8] The report also recommends the creation of a joint industry venture to develop a preliminary set of metrics that may ultimately “be used to support public-private collaboration, if regulators and companies can work together to agree on risk-based, rather than compliance-focused, metrics.”[9]

Second, the report recommends the “development of cybersecurity guidance and assessment mechanisms for fintechs [to] help incumbents and challengers to better identify and adopt best practices.”[10] These include “common principles for cybersecurity assessments and guidance for execution; a point-based scoring mechanism using the assessment criteria; and guidance on practical steps to improve an organization’s score.”[11] The report proposes that a working group of key stakeholders, including incumbents, fintechs and technology companies, collaborate to create “a set of best practices that would meet regulatory guidance, and offer practical steps to increase security.”[12]

The report makes clear that WEF intends to take further steps, working in collaboration with key stakeholders in the financial services and fintech industries, to develop appropriate cyber-risk metrics and assessment mechanisms along the lines discussed above. In addition, the report emphasizes the importance of cooperation both within and across the public and private sectors to create innovative, technological solutions to protect consumer data against cyber-risks and identifies a large number of additional best practices that firms should consider in managing their cyber-risks.

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

Francesco De Biasi’s practice primarily focuses on private enforcement and internal investigations of corporate wrongdoing, with a focus on the requirements under Legislative Decree 231/2001, as well as on corporate, civil, labor law and data protection matters related to white collar crimes.